From ddfda64826800a7b737fa161fd9d793fa6b42f06 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Wed, 18 Mar 2020 22:07:33 -0400
Subject: imap-dl: use retriever.authentication configuration

After discussion with Sean Whitton and Robbie Harwood, I think makes
more sense to have a straight "retriever.authentication" configuration
setting rather than a rather odd boolean "use_kerberos".

This is a divergence from getmail, but that seems OK at this point.

The implementation now also makes it pretty straightforward to add new
authentication mechanisms if someone wants to add them.

One additional thing that would be nice would be for imap-dl to be
able to dynamically choose the "best" available authentication method.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthorseman.net>
---
 imap-dl | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

(limited to 'imap-dl')

diff --git a/imap-dl b/imap-dl
index 83ce84f..4f5abbb 100755
--- a/imap-dl
+++ b/imap-dl
@@ -185,12 +185,21 @@ def scan_msgs(configfile:str, verbose:bool) -> None:
                            port=int(conf.get('retriever', 'port', fallback=993)),
                            ssl_context=ctx) as imap:
         username:str = conf.get('retriever', 'username')
-        use_kerberos = conf.getboolean('retriever', 'use_kerberos',
-                                       fallback=False)
-        if use_kerberos:
+        authentication:str = conf.get('retriever', 'authentication',
+                                      fallback='basic')
+        # FIXME: have the default automatically choose an opinionated
+        # best authentication method.  e.g., if the gssapi module is
+        # installed and the user has a reasonable identity in their
+        # local credential cache, choose kerberos, otherwise, choose
+        # "basic".
+        if authentication == 'kerberos':
             auth_gssapi(username, imap, conf, server)
-        else:
+        elif authentication == 'basic':
             auth_builtin(username, imap, conf, server)
+        else:
+            # FIXME: implement other authentication mechanisms
+            raise Exception(f'retriever.authentication should be one of:\n'
+                            '"basic" or "kerberos", got "{authentication}"')
 
         if verbose: # only enable debugging after login to avoid leaking credentials in the log
             imap.debug = 4
-- 
cgit v1.2.3